I've successfully installed the Splunk App for F5 Networks and Splunk App for F5 Access apps into our Splunk 5.0.5 installation. I configured a non-default index for logs to go into named "f5" and configured the input set up for the app to direct data into that new index. That input is configured for source type of "syslog". At this time we only have data coming in from AFM as we haven't completed configuring other modules. I've confirmed logs are appearing in that index and they're of the proper source type ("F5:AFM:Syslog"). However the app refuses to return any results for any of its dashboards regardless of search settings.

I believe the issue is that we're using a different index for the data. When inspecting all of the app's queries I see that they're all prepended with the text "search" which I think is directing Splunk to look in the wrong index. Here's an example of one:

search sourcetype="F5:AFM:Syslog" | stats  count by action src_ip dest_ip dest_port bigip_mgmt_ip hostname src_port _time

If I remove the text "search" from the above query and insert "index=f5" at the beginning the search returns results without issue. Oddly leaving the "search" text while also specifying the index does not produce results.

I've tried the following to correct this:

• A custom eventtypes.conf with stanzas for each F5 sourcetype and a "search = index=f5" line under each
• a custom indexes.conf with the line "defaultdatabase=f5"
• a custom inputs.conf with the line "index = f5"
• editing savedsearches.conf to add "index=f5" to all the "search" items under each search entry that don't already define an index

Evidence seems to indicate that the problem is that the app is searching the wrong index. How in the world do I go about directing it to search the "f5" index I've created?